funsec mailing list archives
RE: MediaDefender Fires yesterdays IT security people, looking for new ones
From: "Joel R. Helgeson" <joel () helgeson com>
Date: Mon, 17 Sep 2007 10:41:50 -0500
Thread worth watching: http://tinyurl.com/2og43d [Slashdot] <http://slashdot.org/comments.pl?sid=299847&cid=20634957>

"...the word on the street is simply that one of their staff signed up to a torrent site from one of MediaDefender's IPs with the same gmail address as username and password as he used for his gmail account where all these e-mails had been archived."

Heh, they all but went out of their way to provide access to the hackers. The top brass had his emails being forwarded to his Gmail account, bypassing any and all security they had set up on the corporate network. Then the hackers got the usernames and passwords and gained internal access to the network, establishing admin access on the domain. They apparently set up packet captures, or if MediaDefender were the ones capturing packets, they found them, and this is where they captured the VoIP calls.

"Keyloggers? We don't need no stinking keyloggers!"

The worst infections to get rid of are those who have admin access to the network and who maintain their access using normal everyday network admin utilities (from my experience, the French are especially good at this). I have worked with sites that have been hacked where the intruders have obtained an administrator-level password, then gone in and set up RPC over HTTPS on the domain servers. The hackers have then set up their own 2003 server, added it to the domain, promoted it to domain controller and had the hacked company's domain controller perform an outbound sync (using the RPC over HTTPS) to the hackers' 2003 server. Any password changes the users make on the home network will be replicated to their off-site "guest host" malicious server. The hackers later added Distributed File Shares, or DFS, and used it to replicate file share information (i.e. user folders) to their hacked domain controller.

The hackers basically set themselves up as a run-of-the-mill remote office that synchronizes over a low-speed WAN link. This company was totally Pwn3d... I wouldn't be surprised to see the same thing happen here, given the amount of information they collected.

-joel

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Adam Jacob Muller
Sent: Sunday, September 16, 2007 5:07 PM
To: Richard M. Smith
Cc: funsec () linuxbox org
Subject: Re: [funsec] MediaDefender Fires yesterdays IT security people, looking for new ones

http://torrentfreak.com/more-mediadefender-leaks-070916/

"in a recently leaked phone call, a New York attorney and MediaDefender discuss the security of their email-server. Whilst there is some initial confusion as to where the leak may have originated, they eventually write it off as some technical problem"

There is some irony here, I'm sure of it.

"MediaDefender-Defenders proudly presents some more internal MediaDefender stuff. More will follow when the time is ready. MediaDefender thinks they've shut out their internals from us. That's what they think."

"In addition to the phone call, a huge MySQL database dump from a MediaDefender server was leaked on BitTorrent as well. The database shows tracking and decoy file information for the Gnutella network which is used by P2P clients such as LimeWire."

- Adam

On Sep 15, 2007, at 5:20 PM, Richard M. Smith wrote:

http://it.slashdot.org/it/07/09/15/1843234.shtml

"The company MediaDefender works with the RIAA and MPAA against piracy, setting up fake torrents and trackers and disrupting p2p traffic. Previously, the TorrentFreak site accused them of setting up a fake internet video download site designed to catch and bust users. MediaDefender denied the entrapment charges. Now 700MB of MediaDefender's internal emails from the last 6 months have been leaked onto BitTorrent trackers <http://torrentfreak.com/mediadefender-emails-leaked-070915/>. The emails detail their entire plan, including how they intended to distance themselves from the fake company they set up and future strategies. Other pieces of company information were included in the emails such as logins and passwords, wage negotiations, and numerous other aspects of their internal business."

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
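A detection check for the rogue-DC persistence Joel describes, as an added example that is not part of the original thread or of any MediaDefender material. In AD replication the destination pulls from the source, so a server that has been joined, promoted and kept in sync will show up on the legitimate DCs as a computer account exercising the replication extended rights (Security event 4662, if Directory Service Access auditing and a SACL on the domain naming context are in place), and as an extra server holding an nTDSDSA object under CN=Sites. The script below applies both checks to constructed data; the host names, account names, the DC inventory (`KNOWN_DCS`) and the event records are assumptions made for the example, while the three replication-right GUIDs are Microsoft's published values.

```python
"""Flag directory replication that does not originate from a sanctioned DC.

Added example, not code from the funsec thread. Two checks on constructed data:

  1. Security event 4662 entries whose requested access includes one of the
     replication extended rights, with a subject outside the DC inventory.
  2. Servers holding an nTDSDSA object (what dcpromo creates under CN=Sites)
     that are not in that inventory.

Host names, account names and event records are constructed for the example.
The GUIDs are Microsoft's published replication control-access rights.
"""
import re
from dataclasses import dataclass

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed inventory of sanctioned domain controller computer accounts.
KNOWN_DCS = {"DC01$", "DC02$"}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str       # "replication-by-non-dc" or "unexpected-dc"
    subject: str    # account or server that triggered the finding
    detail: str


def guids_in_properties(properties: str) -> set:
    """Extract access-right GUIDs from a 4662 'Properties' field.

    Windows writes that field as an access-type line ("Control Access")
    followed by one brace-wrapped GUID per line; only the GUIDs matter here.
    """
    return {g.lower() for g in GUID_RE.findall(properties)}


def replication_findings(events, known_dcs=KNOWN_DCS):
    """Findings for 4662 events that exercise replication rights from a
    subject that is not a sanctioned DC computer account."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = guids_in_properties(ev.get("Properties", "")) & set(REPLICATION_RIGHTS)
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in known_dcs:
            continue  # DC-to-DC replication is expected
        names = ", ".join(sorted(REPLICATION_RIGHTS[g] for g in rights))
        findings.append(Finding("replication-by-non-dc", subject,
                                f"requested {names} on {ev.get('ObjectName', '?')}"))
    return findings


def rogue_dc_findings(promoted_servers, known_dcs=KNOWN_DCS):
    """Compare servers that hold an nTDSDSA object against the inventory;
    anything extra is a DC nobody sanctioned."""
    return [
        Finding("unexpected-dc", name,
                "has an nTDSDSA object but is not in the DC inventory")
        for name in promoted_servers
        if name.upper().rstrip("$") + "$" not in known_dcs
    ]


# Constructed sample data: two legitimate DCs, one attacker-joined server.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": "DC=corp,DC=example",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "SRV-BACKUP03$", "ObjectName": "DC=corp,DC=example",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Placeholder GUID standing in for an unrelated, non-replication right.
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "Properties": "Read Property\n\t{00000000-0000-0000-0000-000000000000}"},
    {"EventID": 4624, "SubjectUserName": "jdoe"},
]
SAMPLE_PROMOTED_SERVERS = ["DC01", "DC02", "SRV-BACKUP03"]

if __name__ == "__main__":
    for f in replication_findings(SAMPLE_EVENTS) + rogue_dc_findings(SAMPLE_PROMOTED_SERVERS):
        print(f"{f.kind}: {f.subject}: {f.detail}")
```

On a real domain the inventory also has to include any account that legitimately replicates without being a DC (directory sync appliances, read-only DCs), otherwise the first check is all noise; and the second check is worth running against the server objects in every site, since a "remote office" DC, which is exactly what Joel's attackers set up, is easy to miss in a site nobody looks at.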
Current thread:
- MediaDefender is looking to hire IT security people Richard M. Smith (Sep 15)
- Re: MediaDefender Fires yesterdays IT security people, looking for new ones Adam Jacob Muller (Sep 16)
- RE: MediaDefender Fires yesterdays IT security people, looking for new ones Joel R. Helgeson (Sep 17)
- Re: MediaDefender Fires yesterdays IT security people, looking for new ones Adam Jacob Muller (Sep 16)